Meraki

Community

AuthN issues with EAP-TLS via Access Manager

ygurra1
Here to help
‎Oct 22 2025 8:32 AM
‎Oct 22 2025 8:32 AM

AuthN issues with EAP-TLS via Access Manager

Hello Team,

 

We are trying to adapt the Access Manager to our organization and we successfully did so for EAP-TTLS ( authN via username and password ) however we're experiencing issues with authN via certificate ( EAP-TLS method ). We have followed the documentations below but still with no success as we're receiving the following errors:

ygurra1_0-1761146953075.png



This indicates something on suplicant side even though we have looked carefully many times to be aligned with the documentation. Could you please provide us any hint what we could miss here ? 

 

These are the documentations we've been following:
https://documentation.meraki.com/Access_Manager/Access_Manager_Configuration_Guides/EAP-TLS_Certific...
https://documentation.meraki.com/Access_Manager/Access_Manager_Configuration_Guides/EAP-TLS_Client_C...

Thanks in advance

0 Kudos
4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 22 2025 9:34 AM
‎Oct 22 2025 9:34 AM

Have you tried temporarily disabling server certificate validation to test if the chain of trust is the issue?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 22 2025 12:21 PM
‎Oct 22 2025 12:21 PM

Since the supplicant is not responding - you need to look at that end.  For example, if it is a Windows machine, check the event viewer.

 

Make sure the machine has a valid user/machine certificate.  What are you using to issue your certificates?

 

ygurra1
Here to help
Monday
Monday

Hi @alemabrahao & @PhilipDAth,

Thanks for your valuable answers. We discovered that we were trying to validate a user group match in Entra ID at the same time as the machine certificate. This didn't work, likely because the machine certificate has no relationship with user groups in Entra ID.

Is there a way to check both simultaneously? My goal is to use dynamic VLAN assignment based on the user's group membership. 

Thanks in advance!

0 Kudos
In response to ygurra1
PhilipDAth
Kind of a big deal
Kind of a big deal
Monday
Monday

Deploy user certificates and match on those instead of machine certificates.

 

I have not tested it, but you could see if TEAP is supported.  TEAP supports doing both machine and user authentication.

 

However, if you deployed a user certificate to a trusted machine - the machine is already trusted.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
© 2026 Cisco Systems, Inc.